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Response to Amendment filed 8/31/2006 

1. Claims 3, 5-6, 9-13, 15-19, 21, 29-30, 32-37 are presented for examination. 

Response to Arguments 

2. Applicant's arguments with respect to claims 3, 5-6, 9-13, 15-19, 21, 29-30, 32-37 have been 
considered but are moot in view of the new ground(s) of rejection. 

Information Disclosure Statement 

3 . The information disclosure statement (IDS) submitted 9/3 1/06, 1 1/3/06 are in compliance with 
the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by 
the examiner. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 
for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 2 1 (2) of such treaty in the English language. 

5. Claims 5, 15, 19, 21, 29-30, 32-37 rejected under 35 U.S.C. 102(e) as being anticipated by Chen 
et al, US Publication #2003/0191703 (Chen hereinafter). 



6. As per claim 15, Chen teaches the invention as claimed including a method of controlling access 
to user specific information for use in a network computer system including a web-services provider, a 
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user of a service provider by the web-services provider, and a client of the web-services provider, said 
method of controlling access to the user-specific information, Chen's teachings comprising: 

operatively receiving at the web-services provider a request from the client to access the certain 
user-specific information in the data store wherein the web-services provider maintaining a data store of 
user-specific information associated with the user, said user-specific information accessible by the user 
and having access by the client controlled by the user, said client seeking access to certain of the user- 
specific information in the data store (Paragraph 0085; 0136. Client account data is stored on data 
aggregation system. Paragraphs 0137-0138. Web server receives request from third parties to access 
client account data.); 

generating an intended use request by the client of the certain user-specific information in the 
data store (Paragraph 0138. Interested party sends login request comprising name, id, and password. 
Paragraph 0139. Identification/authentication used to identify intentions of accessing specific client 
accounts.); 

determining an allowed level of access permitted by the user (Paragraph 0138. Interested party 
identification and authentication is stored. Paragraph 0139. Access permission page indicates client 
accounts accessible by requesting interested party. Paragraphs 0164; 0171. Set of client access 
permissions. Paragraph 0172. Select access level); 

comparing the generated intended use request with the determined allowed level of access 
(Paragraph 0139. Determine if interested party's identification/authentication is valid.); 

invoking a consent engine in response to the client's request if the generated intended use request 
is outside the allowed level of access, said consent engine informing the user of the client's request to 
access the certain user-specific information in the data store and inviting the user to permit or to deny the 
client's request to access the certain user-specific information in the data store (Paragraphs 0171; 0175- 
0176. Client may be prompted to change (or grant) interested party access permissions.); and 
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completing the request from the client to access the certain user-specific information in the data 
store when the generated intended use request by said client of the certain user-specific information is 
within the determined allowed level of access by the user (Paragraph 0139. If 

identification/authentication information is valid, permissions page including accessible client accounts 
are transmitted.). 

7. As per claim 29, Chen teaches the invention as claimed including a system for controlling access 
to user-specific information in a network computing environment, Chen's teachings comprising: 

a web-services provider (Paragraph 0136. Data aggregation system.); 

a user of a service of the web-services provider, the web-services provider maintaining a data 
store of user-specific information associated with the user (Paragraphs 0136; 0139. Client account data.), 
said user-specific information accessible by the user and having access by the client controlled by the user 
(Paragraph 0138. Interested party requests to access client account data.), and a set of default access 
preferences defining a list of default access permissions allowed by the user (Paragraphs 0164; 017 1- 
0172. Access level set by client.); 

a client of the web-services provider, said client generating a request to access to certain of the 
user-specific information associated with the user said request identifying an intended use by the client of 
the certain user-specific information in the data store (Paragraph 0138. Interested party sends login 
request comprising name, id, or password. Paragraph 0139. Identification/authentication identifies 
intentions of accessing specific client accounts.); 

an access control engine operatively receiving the client request to access the certain user-specific 
information and dynamically creating an access control rule by comparing the set of default access 
preferences with the intended use by the client, said access control rule granting the requested access by 
the client to the certain user-specific information if the intended use of the client of the certain user- 
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specific information is within the list of default access permissions defined by the set of default access 
preferences allowed by the user (Paragraph 0139. If identification/authentication information is valid, 
permissions page including accessible client accounts are transmitted. Paragraph 0164. Access level is 
assign to interested party.); and 

a consent engine generating an option list in response to the client's request for user-specific 
information having at least one entry based on the intended use by the client of the user-specific 
information in the data store (Paragraphs 0138; 0144. Interested party requests access client account.), 
said consent engine displaying on the display interface of the network communication device an option 
menu reflecting the generated option list, said option menu prompting the user to accept or reject at least 
one option displayed on the option menu using the selection interface of the network communication 
device (Paragraphs 0171; 0175-0176. Client may be prompted to change (or grant) interested party 
access permissions. Provides list of potential interested parties whom the client may choose to grant 
access.). 

8. As per claim 5, Chen teaches the system of claim 32 wherein creating the access control rule 
comprises updating a list of permissions such that said list of access permissions reflects whether the user 
accepted or rejected the at least one option (Paragraphs 0174; 0175. Update client permission settings.). 

9. As per claim 19, Chen teaches the method of claim 15 further comprising denying the client 
access to the requested certain user-specific information in the data store if the determined intended use is 
outside the allowed level of access (Paragraph 0139. If identification/authentication is valid, interested 
party is given access. Paragraph 0171. "no access" level). 
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10. As per claim 21, Chen teaches one or more computer-readable media having computer- 
executable instructions for performing the method recited in claim 15 (Paragraph 0053. Data aggregation 
system comprises servers application software instructions.). 

11. As per claim 30, Chen teaches the system of claim 29 further comprising a network 
communication device having a display interface and a selection menu and wherein the user 
communicates with the web-services provider via the network communication device (Paragraphs 0 1 72; 
0174; 0176. User selects access level with web server.). 

12. As per claim 32, Chen teaches the system of claim 29 wherein the network communication device 
generates a selection signal indicative of whether the user accepted or rejected the at least one option 
displayed on the option menu (Paragraphs 0171; 0174; 0176. Grant interested party access and select 
access level. Send client permission settings to web server.). 

13. As per claim 33, Chen teaches the system of claim 29 wherein the consent engine provides a 
consent signal having a parameter indicative of whether the user accepted or rejected the at least one 
option and wherein the access control engine receives the consent signal, said access control engine 
granting the requested access if the consent signal indicates that the user accepted the at least one option 
(Paragraphs 0171; 0174; 0176. Grant interested party access and select access level. Send client 
permission settings to web server.). 

14. As per claim 34, Chen teaches the system of claim 33 wherein the access control engine denies 
the requested access if the consent signal indicates that the user rejected the at least one option 
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(Paragraphs 0171; 0176. Delete potential interested parties. Set "no access" level for client access 
permissions.). 

15. As per claim 35, Chen teaches the system of claim 29 further comprising an authentication engine 
authenticating a digital identity of the user and wherein the access control engine denies the requested 
access if the digital identity of the user is not authenticated by the authentication engine (Paragraph 0139. 
Determine if authentication is valid.). 

16. As per claim 36, Chen teaches the system of claim 29 further comprising a client intentions 
document identifying the intended use by the client of the user-specific information in the data store 
(Paragraph 0138. Request may comprise name, identification umber, or password.). 

17. As per claim 37, Chen teaches the system of claim 36 further comprising: 

a network communication device having a display interface and a selection menu and wherein the 
user communicates with the web-services provider via the network communication device (Paragraphs 
0042; 0172. Client terminal may be a web-enabled personal computer to display graphical user interface. 
Client user selects access level.); and 

a consent engine retrieving the client intentions document and generating an option list having at 
least one entry therein based on the intended use identified in the intentions document, said consent 
engine displaying on the display interface of the network communication device an option menu 
reflecting the generated option list, said option menu prompting the user to accept or reject at least one 
option displayed on the option menu using the selection interface of the network communication device 
(Paragraphs 0175-0176. Client terminal displays list of potential interested parties. Client chooses to 
grant access.). 
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Claim Rejections - 35 USC § 103 

18. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

19. Claims 3, 10, 13, 16-17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Chen, in 
view of Kramer et al, US Patent #5,414,852 (Kramer hereinafter). 

20. As per claims 3, 16, 17, Chen teaches of a client's request to access the certain user-specific 
information in the data store. However, Chen does not specifically teach the system of claim 29 wherein 
the client's request identifies a desired subject matter to be accessed and a method of accessing the 
desired subject matter and wherein comparing the set of default access preferences with the intended use 
by the client further comprises determining if the set of default access preferences permits the client to 
access the desired subject matter; and determining if the set of default access preferences permits the 
identified method of accessing the desired subject matter. Kramer teaches of a requesting identifying a 
data object, i.e. desired subject matter, and the type of access for the data object (Col 5, lines 25-3 1) and 
determining if access rules permits the identified type of access of the data object (Col 4, lines 1-5; Col 5, 
lines 28-34). 

21 . It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Kramer because the teachings of Kramer to identify a desired 
subject matter to accessed and a method of accessing the desired subject matter, and determine if access 
rules permits the identified method of access with the desired subject matter would improve the teachings 
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of Chen by providing a user with additional access control of user-information including setting different 
types of secure access to specific information. 

22. As per claim 10, Chen teaches of requesting access to user-specific information. However, Chen 
does not specifically teach the system of claim 29 wherein the client identifying a request form of access 
to the user-specific information in the data store and the access control engine granting the requested 
access to the certain user-specific information in the data store if the user has granted said form of access 
requested by the client comprises permitting the client to read the requested user-specific information in 
the data store and permitting the client to write the requested user-specific information in the data store. 
Kramer teaches of sending a request comprising a request type to a data object, wherein the data object 
may be any type of object, and granting the access to read the data object and write the data object (Col 2, 
lines 41-46; Col 4, lines 1-5, 52-55; Col 5, lines 26-41). 

23 . It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Kramer because the teachings of Kramer to grant a form of access 
requested by the client comprising permitting a client to read the requested information and permit the 
client to write the requested information in the data store would improve the teachings of Chen by 
providing a user with additional access control of user-information including setting different types of 
secure access to specific information. 

24. As per claim 13,' Chen teaches the system of claim 29 wherein creating the access control rule to 
permit the client to have access to the certain user-specific information in the data store if the default 
access permissions permit the identified intended use comprises creating the access control rule to permit 
the client to read the certain user-specific information in the data store (Paragraphs 0139; 0172; 0175. 
User selects access level for interested party. Interested party is granted access to client account data.). 
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However, Chen does not specifically teach of creating the access control rule to permit the client to write 
the certain user-specific information in the data store. Kramer teaches of creating an access control rule 
to permit clients to write data objects, wherein data objects may be any type of object (Col 2, lines 42-45; 
Col 4, lines 1-5, 52-55). 

25. It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Kramer because the teachings of Kramer to create an access control 
rule to permit clients to write data objects would improve the teachings of Chen by providing additional 
administrative control of user-information, thus allowing a user to set various access privileges to user- 
information. 

26. As per claim 18, Chen teaches of the method of claim 17 further comprising: creating an access 
filter defining an extent to which the user permits access to the type of information within the certain 
user-specific information in the data store; and wherein completing the request from the client to access 
the certain user-specific information in the data store when the generated intended use request is within 
the determined allowed level of access further comprises: applying the access filter to the certain user- 
specific information in the data store to create a filter information set; and permitting the client to access 
the filtered information set (Paragraph 0164. User assigns access level to a given interested party. Levels 
of access includes no access, summary view access, account detailed view access.). However, Chen does 
specifically teach of permitting a form of access of the user-specific information in the data store. Kramer 
teaches of sending a request comprising a access type to a data object, wherein the data object may be any 
type of object, and granting the access type to the data object, e.g. read and write (Col 2, lines 41-46; Col 
4, lines 1-5, 52-55; Col 5, lines 26-41). 
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27. It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Kramer because the teachings of Kramer to permit a form of access 
to specific information in the data store would improve the teachings of Chen by providing a user with 
additional access control of user-information including setting different types of secure access to specific 
information. 

28. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Chen, in view of Ukelson, 
US Patent #6,338,096 (Ukelson hereinafter). 

29. As per claim 6, Chen does not specifically teach the system of claim 29 wherein the client 
determining if the client has . a local copy of the certain user-specific information in the data store before 
transmitting the request, the client retrieving said local copy of the certain user-specific information if the 
local copy is available, the client determining if said local copy of the certain user-specific information is 
current, and transmitting the request only if said local copy of the certain user-specific information is not 
available and not current. Ukelson teaches of determining if a client has a local copy of information in 
the data store before transmitting the request (Col 9, lines 9-14 ), the client retrieving the local copy of the 
information if the local copy is available (Col 9, lines 15-17), the client determining if the local copy of 
the information is current (Col 9, lines 17-24), and transmitting the request only if the local copy of the 
information is not available and not current (Claim 6; Col 9, lines 21-23, 35-38). 

30. It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Ukelson because the teachings of Ukelson to determine if a client 
has a local copy of information in the data store before transmitting the request, the client retrieving the 
local copy of the information if the local copy is available, the client determining if the local copy of the 
information is current, and transmitting the request only if the local copy of the information is not 
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available and not current would improve the system of Chen by reducing the transmission of data over the 
network and delay associated with receiving data (Col 3, line 66-Col 4, line 2), and allowing only 
authorized access to information on the network (Col 9, line 45-49). 

3 1 . Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Chen, in view of Desai et 
al 5 US Patent #6,820,204 (Desai hereinafter). 

32. As per claim 9, Chen does not specifically teach the system of claim 29 wherein the access 
control engine determining if the client has an access subscription right to the certain user-specific 
information in the data store and the access control engine permitting the client to have access to the 
certain user-specific information in the data store if the client has the access subscription right to the 
certain user-specific information in the data store. Desai teaches of registering to access user profile data, 
wherein registered third parties receive user profile data (Col 9, lines 1-4, 42-52). 

33 . It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen and Desai because the teachings of Desai for registered clients to 
receive user information, i.e. subscribe to user information, would improve the system of Chen by 
allowing interested parties to receive updates to the user information and may subsequently use user 
information to functions such as processing electronic transactions (Col 9, lines 40-47, 53-67). 

34. Claims 1 1-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Chen and Kramer, 
in view of Erickson et al, US Publication #2003/0081791 (Erickson hereinafter). 

35 . As per claim 1 1, Chen teaches of permitting the client to read the requested user-specific 
information in the data store (Claim 1). However, Chen does not specifically teach the system of claim 
10 wherein transmitting a copy of the accessed certain user-specific information to the client in a SOAP 
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message. Erickson teaches of transmitting messages according to the SOAP protocol (Page 2, Paragraph 
21). 

36. It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings Chen, Kramer, and Erickson because the teachings of Erickson to use the SOAP 
protocol in sending messages would improve the efficiency of the system of Chen and Kramer by 
providing a simplified protocol for exchanging structured information on the web (Microsoft Computer 
Dictionary, Fifth Edition, 2002). 

37. As per claim 12, Chen and Kramer taught of permitting the client to write certain user-specific 
information in the data store. However, Chen does not specifically teach the system receiving at the web- 
services provider a SOAP message from the client identifying the certain user-specific information and 
writing the identified certain user-specific information in the data store. Erickson teaches of transmitting 
messages according to the SOAP protocol (Page 2, Paragraph 21). 

38. It would have been obvious to one of ordinary skill in the art at the time the invention was made 
to combine the teachings of Chen, Kramer, and Erickson because the teachings of Erikson to use the 
SOAP protocol in sending messages would improve the efficiency of the system of Chen and Kramer by 
providing a simplified protocol for exchanging structured information on the web (Microsoft Computer 
Dictionary, Fifth Edition, 2002). 

Conclusion 

39. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 
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40. A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing 
date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

41 . Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to Joshua Joo whose telephone number is 571 272-3966. The examiner can normally be 
reached on Monday to Friday 7 to 4. 

42. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Nathan J. Flynn can be reached on 571 272-1915. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

43. Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained 
from either Private PAIR or Public PAIR. Status information for unpublished applications is available 
through Private PAIR only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on^ccess to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll 




November 20, 2006 
JJ 



